A short vacation with only mobile devices challenged us to keep up with our rapidly growing business. The problem was that we could not send email successfully. Recipients did not get our messages! We received our own confirmatory blind copies, but none of the recipients received the email.

We looked at and compared settings. We checked our original emails.

We deleted and re-entered passwords.

We visited the Apple store three times (but just the Genius Bar once).

We gave up and went to bed, and a few minutes later popped out of bed and asked ourselves questions such as: How can I possibly receive an email but not send one? What are all those settings?

As with all modern software, there are many supporting layers. Each layer in isolation can work perfectly, according to the customer service representative who owns that layer, so the fault must lie elsewhere. One hears, in effect, "Not my job, man."

After a little rest and the resulting infusion of patience, we started over. Tediously and carefully we went through websites and forums. We learned a lot and want to share it with you. Hopefully we can pay it forward this time.

First, a warning: ordinary email cannot be used for medical collaboration. The Accountable Care plans we have reviewed acknowledge the problem but offer no plan for resolving it. iClickCare can resolve the issue immediately, but it is something new, so why can regular email not be used?

Think of email as a postcard: turn it over, and both the address and the message can be read. Even when the connection to the mail server uses SSL/TLS (what providers call "secure email"), there are three points of failure.

The message sits unencrypted, with no password protection of its own, in the sender's mail client on the desktop or phone.

Transmission is encrypted only hop by hop, and only when each pair of servers agrees to use TLS; every intermediate relay decrypts the message and stores it in plain form.

The recipient stores it in plain view, not password protected, on his or her desktop or phone.
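The second point of failure can be seen in any delivered message: every server that accepted it added a Received: header naming itself, and the protocol token in that header (ESMTPS or ESMTPSA per RFC 3848) says whether that one hop used TLS. The script below, an added example that is not part of the original post, lists the relays from those headers and flags the hops that were not encrypted; the sample message and its host names are constructed for illustration. A TLS hop protects the wire between two servers, but every host in a "by" clause still handled the message in the clear, which is exactly the postcard problem above.

```python
"""Added example (not from the original post): trace the relays that handled a
message and whether each hop reported TLS, using only the message's own
Received: headers. The sample message below is constructed for illustration."""
import email
import re

# Protocol tokens that mean the hop used STARTTLS (RFC 3848, RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

# Constructed sample: sender's client -> submission server -> recipient MX -> mailbox.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.20])
\tby inbox.example.org with ESMTPS id 123
\tfor <recipient@example.org>; Tue, 6 Mar 2012 10:00:03 -0500
Received: from smtp.example.com (smtp.example.com [192.0.2.10])
\tby mx.example.net with ESMTP id 456; Tue, 6 Mar 2012 10:00:02 -0500
Received: from [10.0.0.5] (unknown [198.51.100.7])
\tby smtp.example.com with ESMTPSA id 789; Tue, 6 Mar 2012 10:00:01 -0500
From: sender@example.com
To: recipient@example.org
Subject: lab results

plain text body
"""


def trace_hops(raw_message):
    """Return the hops in delivery order (origin first), one dict per hop:
    from, by, protocol, tls. Received: headers are stacked newest-first,
    so they are reversed here."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        v = " ".join(str(value).split())        # unfold the header
        frm = re.search(r"\bfrom\s+(\S+)", v)
        by = re.search(r"\bby\s+(\S+)", v)
        with_ = re.search(r"\bwith\s+(\S+)", v)
        proto = with_.group(1).rstrip(";").upper() if with_ else "?"
        hops.append({
            "from": frm.group(1) if frm else "?",
            "by": by.group(1).rstrip(";") if by else "?",
            "protocol": proto,
            "tls": proto in TLS_PROTOCOLS,
        })
    return hops


def cleartext_hops(hops):
    """Hops whose header does not claim TLS: readable on the wire."""
    return [h for h in hops if not h["tls"]]


def plaintext_custodians(hops):
    """Every receiving server held the message in the clear, TLS or not."""
    return [h["by"] for h in hops]


if __name__ == "__main__":
    hops = trace_hops(SAMPLE)
    for h in hops:
        print(f"{h['from']:>20} -> {h['by']:<20} {h['protocol']:<8} "
              f"{'TLS' if h['tls'] else 'CLEARTEXT'}")
    print("stored in the clear at:", ", ".join(plaintext_custodians(hops)))
```

Received: headers are written by the receiving server and can be forged by anything upstream of your own servers, so treat the trace as a record of what each relay claimed, not as proof.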

As they say, we have an app for that, iClickCare (actually a complete system), but we use email all of the time, so let us share what we found. Email settings look scary and unfamiliar to most of us. To ease this, we will list some definitions and note some principles for thinking about them. They might not please computer scientists, but they will help you get the job done.

There are three groups of settings that need to be addressed.

Basic identifiers.

Incoming settings.

Outgoing settings.

Basic: The purpose of the basic settings is obvious: who are you, anyway? Use your complete email address, everything both before and after the "@" sign. Did we mention spelling? We should have: a single wrong character here is enough to fail authentication.

Incoming: The purpose of the incoming settings is to name the protocol (an agreed-upon set of rules) that the mail client and the server will use. There are two: POP and IMAP. References are below. POP is Post Office Protocol and IMAP is Internet Message Access Protocol. POP is older and simpler; IMAP is newer and more capable. Both retrieve messages from the server; POP, by default, downloads each message and deletes it from the server, while IMAP leaves messages on the server and keeps the client's mailboxes synchronized with it.

Outgoing: SMTP is Simple Mail Transfer Protocol. It is a delivery protocol only, and it is a third area for settings. An advanced setting is the Port: the numbered door (portal) that the host server has left open for SMTP connections to enter. Mail clients should use a submission port, 587 (with STARTTLS) or 465 (with implicit TLS), together with a username and password; port 25 is for server-to-server relay and many consumer and hotel networks block it, which is one common reason a device can receive mail but not send it.
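The three groups of settings above can be checked mechanically. The script below, an added example that is not part of the original post, first lints a settings dictionary offline for the port/encryption mismatches that most often produce "receives fine, cannot send" (wrong encryption mode for the port, port 25 on a client, SMTP AUTH switched off), then optionally probes the outgoing server one layer at a time so the failing layer gets a name instead of being someone else's job. All host names, ports and the sample settings are constructed for illustration, not any particular provider's values.

```python
"""Added example (not from the original post): lint mail client settings for
the identity / incoming / outgoing mismatches discussed above, then probe
the outgoing server layer by layer. Sample values are constructed."""
import re
import socket
import ssl
import smtplib

# Standard port / encryption pairings (RFC 6409, RFC 8314, IANA registry).
INCOMING_PORTS = {
    ("imap", 993): "tls",       # IMAP over implicit TLS
    ("imap", 143): "starttls",  # IMAP upgraded with STARTTLS
    ("pop", 995): "tls",        # POP3 over implicit TLS
    ("pop", 110): "starttls",   # POP3 upgraded with STLS
}
OUTGOING_PORTS = {
    587: "starttls",  # submission: STARTTLS, then AUTH
    465: "tls",       # submission over implicit TLS
    25: "relay",      # server-to-server relay; often blocked for clients
}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def lint_settings(s):
    """Return a list of findings; an empty list means nothing obviously wrong.

    Keys: address, incoming_protocol ('imap'|'pop'), incoming_port,
    incoming_security ('tls'|'starttls'|'none'), outgoing_port,
    outgoing_security, outgoing_auth (bool)."""
    findings = []
    # Basic identifiers: the complete address, spelled correctly.
    if not EMAIL_RE.match(s.get("address", "")):
        findings.append("identity: use the complete address, user@domain; check spelling")
    # Incoming: protocol, port and encryption mode must agree.
    proto = str(s.get("incoming_protocol", "")).lower()
    if proto not in ("imap", "pop"):
        findings.append("incoming: protocol must be IMAP or POP")
    else:
        want = INCOMING_PORTS.get((proto, s.get("incoming_port")))
        if want is None:
            findings.append(f"incoming: port {s.get('incoming_port')} is not a standard {proto.upper()} port")
        elif want != s.get("incoming_security"):
            findings.append(f"incoming: port {s['incoming_port']} expects {want}, "
                            f"settings say {s.get('incoming_security')}")
    # Outgoing: the usual culprits when receiving works but sending does not.
    port = s.get("outgoing_port")
    want = OUTGOING_PORTS.get(port)
    if want is None:
        findings.append(f"outgoing: port {port} is not a standard SMTP port")
    elif want == "relay":
        findings.append("outgoing: port 25 is server-to-server relay and is often "
                        "blocked on consumer and hotel networks; use 587 or 465")
    elif want != s.get("outgoing_security"):
        findings.append(f"outgoing: port {port} expects {want}, settings say {s.get('outgoing_security')}")
    if not s.get("outgoing_auth"):
        findings.append("outgoing: submission servers require SMTP AUTH; "
                        "enable it with the same credentials as incoming")
    return findings


def probe_outgoing(host, port, security, user=None, password=None, timeout=10):
    """Probe an SMTP server one layer at a time and return the first layer
    that fails: 'dns', 'connect', 'tls', 'auth', or 'ok'. No mail is sent."""
    try:
        socket.getaddrinfo(host, port)
    except socket.gaierror:
        return "dns"
    ctx = ssl.create_default_context()
    try:
        if security == "tls":
            conn = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
        else:
            conn = smtplib.SMTP(host, port, timeout=timeout)
    except ssl.SSLError:
        return "tls"        # implicit-TLS handshake failed
    except (OSError, smtplib.SMTPException):
        return "connect"    # refused, filtered by the network, or timed out
    stage, result = "connect", "ok"
    try:
        conn.ehlo()
        if security == "starttls":
            stage = "tls"
            conn.starttls(context=ctx)
            conn.ehlo()
        if user is not None:
            stage = "auth"
            conn.login(user, password)
    except (OSError, smtplib.SMTPException):
        result = stage
    finally:
        conn.close()
    return result


if __name__ == "__main__":
    sample = {  # constructed: the classic "can receive, cannot send" profile
        "address": "drsmith@example.com",
        "incoming_protocol": "imap", "incoming_port": 993, "incoming_security": "tls",
        "outgoing_port": 25, "outgoing_security": "none", "outgoing_auth": False,
    }
    for finding in lint_settings(sample) or ["no findings"]:
        print(finding)
```

Run the lint first; only when it comes back clean is a live probe worth doing, and the probe's answer ("dns", "connect", "tls", "auth") tells you which party to call: the DNS or network operator, the ISP that may be filtering the port, the mail host's certificate, or the account's password.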

Email is not so easy after all. But now you know the terms and principles needed to set it up for any message that does not require HIPAA compliance or the security needed for medical collaboration.

These are references and instructions specific to many common servers or ISPs.

Thus, incoming email is configured with the POP or IMAP protocol and outbound email with SMTP. Once that is understood, it is a matter of filling in the blanks. If you would like to learn more about iClickCare and how it makes secure medical collaboration delightful and easy, start with the ClickCare home page.

There are both moral and regulatory reasons to protect our patients' privacy.

HIPAA and HITECH, at times, seem to be over the top. The regulations have certainly been interpreted, reinterpreted and over-implemented, and a plethora of "saviors" has created an entire industry around them. I doubt some of the extreme responses to fear of enforcement and fear of technology are intentional, but nevertheless we live with the unintended consequences, which make our day difficult at best and impossible at worst.

That said, there seem to be three common responses by providers:

Ignoring the rules.

Never confronting the problem by never coming out of one's silo.

Begrudgingly following the rules, but hurting the patient.

How many times have you heard (or said):

“I just send an email.”

“I just send an email, but I asked the patient.”

“I am the doctor (nurse, therapist), I do what is right, the rules are stupid and don’t matter.”

These are dangerous (to self and patient) responses to an impossible situation. There will be continuing enforcement, and there are easier solutions. We offer a good one.

Review this graphic from OnLine Tech. First, HIPAA audits are funded: $9.2 million to KPMG for 150 audits and $182,000 to Booz Allen Hamilton for audit candidate identification. The funds come from the Office for Civil Rights. The completion date is 12/31/2012.

The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:

Private Practices;

General Hospitals;

Outpatient Facilities;

Health Plans (group health plans and health insurance issuers); and,

Pharmacies.

Most of these are easily solved. If one removes the simple physical causes (77%), the remaining risk of violation is hacking (6%), unauthorized access/disclosure (16%) and unknown (1%). No one is immune from hacking, although ClickCare works hard to protect against it. No one has to use email and risk enforcement, and as you see above, it is the small practices that top the list.

The message here:

This is real.

This is significant.

This is avoidable.

We owe our patients more than protecting ourselves by opting out. There is an inexpensive and easy solution.

The United States Congress passed the Health Insurance Portability and Accountability Act, commonly known as HIPAA, in 1996. For the first time, national standards came into existence to protect health information. Then, in 2009, the scope and complexity of HIPAA were extended with the passage of the Health Information Technology for Economic and Clinical Health Act (HITECH).

Both HIPAA and HITECH have risen to great importance with the health industry’s continual acceptance of electronic information systems.

Electronic data systems and applications, including electronic health records (EHRs or EMRs), have considerably improved billing, surveillance and productivity. However, new security threats have arisen as well. Compared with paper charts, electronic health information is at greater risk of being distributed, tampered with or stolen, which could lead to public disclosure.

To counter these threats, HIPAA and HITECH imposed strict standards governing security and privacy. Consequently, any covered entity or business associate that transmits protected health information in electronic form is required to comply with the standards implemented by the Department of Health and Human Services.

HIPAA and HITECH are similar in purpose: both address the security and confidentiality of protected health information. Both Acts contain privacy requirements and have numerous effects on research and clinical care. But the additions are important. For example:

* Subtitle D of the HITECH Act has significant and varied ramifications for health care participants. Four tiers of culpability and penalty are listed.

* HITECH restructures and strengthens civil and criminal consequences for non-compliance. These are significant, with fines of up to $50,000 for each violation, not to exceed $1,500,000 for the calendar year. Prison terms have been issued as well.

* HITECH requires justifying the disclosure of PHI (Protected Health Information), even when it is done for healthcare treatment and billing.

What does this mean practically? Email cannot be used unless it is within a closed and secure system. However, secure email is not only inadequate for retrieval and study, it is also awkward to use and available only to a few participants tightly controlled within one system. Standard email meets no HIPAA requirements whatsoever. Beyond being public, it is increasingly the fodder of search engines. To place oneself above the law because of the perceived higher importance of medical care, or because the patient gave permission, is not good for any of us.

There is a need for a platform that provides an all-inclusive structure to help organizations restructure and systematize all facets of HIPAA/HITECH compliance. Among other things, this would ease time tracking, email notices and operational effectiveness, with the goal of reducing the time and energy necessary for security compliance.

In summary, HIPAA and HITECH are two powerful laws. They should be handled with extreme caution, as they are mission critical to America's healthcare and its people.